

---
title: "Intel Brief: Manage My Health — Kazu Ransomware Attack, 120,000 Patient Records"
date: 2026-03-31
slug: manage-my-health-nz-ransomware
---


Intel Brief: Manage My Health — Kazu Ransomware Attack, 120,000 Patient Records

New Zealand patient portal Manage My Health confirmed on December 31, 2025 that it had been breached by a threat actor going by the alias "Kazu," who claimed to have exfiltrated 108GB of data — 428,337 files — from the platform's systems. The attacker demanded a US$60,000 ransom with a January 15 deadline, threatening to publish the data on the dark web. Manage My Health serves approximately 1.8 million registered users across New Zealand; the company estimated 6–7% of its user base was affected, equating to roughly 120,000 to 127,000 individuals. The New Zealand Office of the Privacy Commissioner, Health NZ, and police were all notified. This is one of the largest privacy breaches in New Zealand history.

What Happened

On December 30, 2025 (NZ time), a threat actor posting under the alias "Kazu" announced on a hacker forum that they had breached Manage My Health, publishing a sample of stolen data as proof of compromise. Kazu claimed possession of 108GB of data comprising 428,337 files, including patient names, medical records, test results, and prescription details, and demanded a US$60,000 ransom by January 15, 2026.

Manage My Health confirmed the breach the following day, December 31, with founder Vino Ramayah stating the incident was under investigation alongside law enforcement and independent cybersecurity specialists. On January 1, the company disclosed the scope: an estimated 6–7% of its 1.8 million registered users may have been impacted, with patient notification expected within 48 hours. The breach was characterized as "contained."

New Zealand's Health Minister Simeon Brown described the incident as "concerning" but said it would have no clinical impact on patients — meaning no treatment data was altered. Duty minister Karen Chhour called it "incredibly concerning." Health NZ confirmed its own systems were not affected; Manage My Health is a privately operated patient portal integrated with but separate from the national health system.

Kazu has a documented history of similar operations. A Nepali digital forensics firm had previously attributed a July 2025 breach of Nepal's Ministry of Education — stealing 1.4TB of student data — to the same actor. Similar claims have been attributed to Kazu against a doctors group in Texas, the Colombian Ombudsman, the Thai Department of Agricultural Extension, the Kuwait Ministry of Public Works, and the Bolivian Navy, suggesting a pattern of opportunistic attacks against under-resourced public sector and health sector targets across multiple countries.

What Was Taken

Per Kazu's claims and Manage My Health's confirmation:

Manage My Health has not published a full inventory of compromised data fields. The company confirmed the breach was "contained" but has not confirmed whether all exfiltrated data has been recovered or destroyed.

Why It Matters

Patient health data is the highest-sensitivity PII category. Medical records, test results, and prescription histories cannot be changed after exposure. Unlike a financial credential breach — where cards can be cancelled and accounts frozen — the exposure of someone's medical history, mental health records, or prescription details is permanent and can affect employment, insurance, and personal relationships for years.

Manage My Health is a patient portal intermediary, not a hospital. This matters architecturally: the breach did not involve Health NZ's core clinical systems, but it accessed data that patients had shared through a third-party integration layer. The attack surface for healthcare extends beyond hospital IT — it includes every vendor, portal, and integration point that touches patient data. Health NZ's clean status is not the full story.

Kazu is an active, multi-jurisdiction threat actor. The breadth of attributed incidents — spanning Nepal, New Zealand, Texas, Colombia, Thailand, Kuwait, and Bolivia — confirms this is not an opportunistic one-off. The actor actively hunts healthcare and government targets in jurisdictions with historically weak cyber defenses, which suggests automated scanning for known vulnerabilities or exposed credentials, and operates with a low ransom demand strategy designed to encourage payment while avoiding law enforcement escalation.

US$60,000 is a deliberately accessible demand. Ransomware groups targeting large enterprises set demands in the millions. Kazu's sub-$100,000 demand against a platform serving 1.8 million users is designed to maximize payment probability — the cost of non-payment (breach notification, regulatory fines, reputational damage) easily exceeds the ransom. This model is increasingly common against mid-market health tech targets.

The Attack Technique

The specific initial access vector for the Manage My Health breach has not been publicly confirmed. Based on Kazu's pattern across multiple attributed incidents:

The 108GB exfiltration of 428,337 files suggests database-level or file system access rather than screen-scraping or API-level exfiltration, pointing toward privileged access to backend infrastructure.

What Organizations Should Do

  1. Audit all third-party patient portal and health integration vendors immediately. Every vendor with access to patient data is an attack surface. Require evidence of penetration testing, vulnerability management programs, and incident response plans from any vendor touching clinical or patient-identifying data.

  2. Enforce MFA on all administrative and database access. Health sector targets are frequently compromised via credential theft against accounts that lack multi-factor authentication. No account with access to patient data should be operable with a password alone.

  3. Segment patient data from operational infrastructure. If an attacker compromises a web application layer, they should not have a direct path to bulk patient record exports. Database access should require separate authentication and should be rate-limited or monitored for bulk query operations.

  4. Implement data exfiltration detection. 108GB transferred out of a health platform is detectable. DLP controls, egress traffic monitoring, and anomaly detection on database query volumes should be baseline requirements for any platform holding patient records.

  5. Establish and test your breach notification playbook before an incident. New Zealand's Privacy Act 2020 mandates notification of the Privacy Commissioner for serious breaches. Health organizations should have pre-drafted notification templates, a defined escalation chain, and tested procedures for identifying affected individuals within the 72-hour window regulators expect.

  6. Monitor dark web markets for your organization's data. Kazu published a sample as proof of compromise before the deadline. Active monitoring of breach forums and dark web marketplaces would have surfaced this claim hours before the ransom deadline, providing additional response time.
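As an added illustration of items 3 and 4 above, not tooling from Manage My Health or from the article: a sliding-window check over a constructed database audit log that flags an account whose cumulative export volume crosses a threshold even when each individual query looks modest. The log format, account names, and thresholds are assumptions for the example.

```python
"""Bulk-export anomaly check over a hypothetical database audit log.

Constructed sample, not Manage My Health data. Each line is assumed to be:
ISO timestamp, account, rows returned, bytes returned.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: a portal service account doing normal per-patient
# lookups, and a privileged account pulling 4,000-row chunks every few
# minutes. No single chunk trips a per-query limit; the sum does.
SAMPLE_LOG = """\
2025-12-30T01:00:05Z portal_svc 1 2048
2025-12-30T01:00:09Z portal_svc 3 6144
2025-12-30T01:00:14Z portal_svc 1 1900
2025-12-30T01:02:41Z dba_admin 4000 20971520
2025-12-30T01:05:02Z dba_admin 4000 20971520
2025-12-30T01:07:30Z dba_admin 4000 20971520
2025-12-30T01:10:11Z portal_svc 2 4096
"""


def parse_log(text):
    """Parse the assumed four-field format into (ts, account, rows, bytes)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, rows, nbytes = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       account, int(rows), int(nbytes)))
    return events


def detect_bulk_exports(events, window=timedelta(minutes=10),
                        max_rows=10_000, max_bytes=50 * 1024 * 1024):
    """Per-account sliding window over rows and bytes returned.

    Returns one (account, window_start, rows, bytes) alert per account that
    exceeds either threshold inside any window; the analyst takes it from there.
    """
    by_account = defaultdict(list)
    for ev in sorted(events):
        by_account[ev[1]].append(ev)
    alerts = []
    for account, evs in by_account.items():
        start = 0
        for end, (ts, _, _, _) in enumerate(evs):
            while evs[start][0] < ts - window:  # drop events older than the window
                start += 1
            rows = sum(e[2] for e in evs[start:end + 1])
            nbytes = sum(e[3] for e in evs[start:end + 1])
            if rows > max_rows or nbytes > max_bytes:
                alerts.append((account, evs[start][0], rows, nbytes))
                break
    return alerts
```

With the sample above, `portal_svc` never trips the check, while `dba_admin` is flagged on its third chunk (12,000 rows, 60 MiB inside a 10-minute window), which is the shape a slow pull toward 108GB would take.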

Sources